Malwoverview Feuille de chaleur
Aperçu général
Malwoverview est un outil complet de chasse aux menaces et d'analyse des logiciels malveillants conçu pour fournir aux analystes de sécurité des informations détaillées sur les fichiers suspects, les URL et les menaces potentielles. Développé en tant qu'utilitaire de ligne de commande basé sur Python, Malwoverview s'intègre à de multiples plateformes de renseignement sur les menaces et services d'analyse de logiciels malveillants pour fournir des évaluations complètes des menaces. L'outil sert d'interface centralisée pour interroger divers services de sécurité, permettant aux analystes de recueillir rapidement des renseignements sur les menaces potentielles sans accéder manuellement à plusieurs plateformes.
La force principale de l'outil réside dans sa capacité d'agréger des renseignements sur les menaces provenant de diverses sources, dont VirusTotal, Hybrid Analysis, URLVoid, Shodan et d'autres services de sécurité. Cette capacité de regroupement permet aux professionnels de la sécurité d'obtenir une vision globale des menaces potentielles en corrélant l'information provenant de plusieurs sources faisant autorité. Malwoverview prend en charge l'analyse de divers types d'artefacts, y compris les hachages de fichiers, les URL, les adresses IP et les domaines, ce qui le rend polyvalent pour différents scénarios de chasse aux menaces.
Malwoverview est particulièrement utile dans les scénarios d'intervention en cas d'incident où une évaluation rapide des menaces est essentielle. Les capacités d'interrogation automatisées de l'outil peuvent réduire considérablement le temps nécessaire pour recueillir des renseignements sur les menaces, ce qui permet aux analystes de se concentrer sur l'analyse et la prise de décisions plutôt que sur la collecte manuelle de données. L'outil fournit également des formats de sortie structurés qui peuvent être facilement intégrés dans les plates-formes d'orchestration de sécurité et les workflows de réponse incidente.
Le cadre prend en charge les modes de traitement interactif et par lots, ce qui permet aux analystes d'effectuer une analyse à un seul objet ou de traiter efficacement de gros ensembles de données. Son architecture modulaire permet une extension et une personnalisation faciles, ce qui la rend adaptable aux exigences organisationnelles spécifiques et aux flux de travail du renseignement de menace. Les capacités d'enregistrement et de rapport de l'outil fournissent des pistes de vérification et facilitent le partage des connaissances entre les équipes de sécurité.
Installation
Préalables
# Install Python and pip
sudo apt update
sudo apt install python3 python3-pip git
# Install required Python packages
pip3 install requests colorama configparser pefile python-magic
# Install additional dependencies
sudo apt install libmagic1 libmagic-dev
# For CentOS/RHEL
sudo yum install python3 python3-pip git file-devel
pip3 install requests colorama configparser pefile python-magic
# For macOS
brew install python3 git libmagic
pip3 install requests colorama configparser pefile python-magic
Installation standard
# Clone Malwoverview repository
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview
# Install Python dependencies
pip3 install -r requirements.txt
# Make executable
chmod +x malwoverview.py
# Test installation
python3 malwoverview.py --help
# Create symbolic link for system-wide access
sudo ln -s $(pwd)/malwoverview.py /usr/local/bin/malwoverview
```_
### Installation d'environnement virtuel
```bash
# Create virtual environment
python3 -m venv malwoverview-env
source malwoverview-env/bin/activate
# Clone and install
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview
pip install -r requirements.txt
# Create activation script
cat << 'EOF' > activate-malwoverview.sh
#!/bin/bash
source /path/to/malwoverview-env/bin/activate
cd /path/to/malwoverview
python3 malwoverview.py "$@"
EOF
chmod +x activate-malwoverview.sh
```_
### Installation Docker
```bash
# Create Dockerfile
cat << 'EOF' > Dockerfile
FROM python:3.9-slim
RUN apt-get update && apt-get install -y \
git \
libmagic1 \
libmagic-dev \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
RUN git clone https://github.com/alexandreborges/malwoverview.git .
RUN pip install -r requirements.txt
ENTRYPOINT ["python3", "malwoverview.py"]
EOF
# Build image
docker build -t malwoverview .
# Run container
docker run --rm -it -v $(pwd)/config:/app/config malwoverview --help
# Create alias
echo 'alias malwoverview="docker run --rm -it -v $(pwd)/config:/app/config malwoverview"' >> ~/.bashrc
Configuration Configuration
# Create configuration directory
mkdir -p ~/.malwoverview
# Create API configuration file
cat << 'EOF' > ~/.malwoverview/malwoverview.conf
[VIRUSTOTAL]
vtapi = your_virustotal_api_key
[HYBRIDANALYSIS]
haapi = your_hybrid_analysis_api_key
[URLVOID]
urlvoidapi = your_urlvoid_api_key
[SHODAN]
shodanapi = your_shodan_api_key
[MALSHARE]
malshareapi = your_malshare_api_key
[POLYSWARM]
polyswarmapi = your_polyswarm_api_key
[ALIENVAULT]
alienvaultapi = your_alienvault_api_key
EOF
# Set proper permissions
chmod 600 ~/.malwoverview/malwoverview.conf
Utilisation de base
Interface de ligne de commande
# Show help
malwoverview --help
python3 malwoverview.py -h
# Show version
malwoverview --version
# Basic file analysis
malwoverview -f /path/to/suspicious_file.exe
# Hash analysis
malwoverview -H md5_hash_here
malwoverview -H sha1_hash_here
malwoverview -H sha256_hash_here
# URL analysis
malwoverview -u http://suspicious-domain.com
# IP address analysis
malwoverview -i 192.168.1.100
# Domain analysis
malwoverview -d suspicious-domain.com
Options de configuration
# Use custom configuration file
malwoverview -c /path/to/custom.conf -f file.exe
# Specify output format
malwoverview -f file.exe -o json
malwoverview -f file.exe -o csv
malwoverview -f file.exe -o xml
# Enable verbose output
malwoverview -v -f file.exe
# Quiet mode
malwoverview -q -f file.exe
# Save output to file
malwoverview -f file.exe > analysis_report.txt
malwoverview -f file.exe -o json > report.json
Analyse de fichier
Analyse de fichier unique
# Analyze executable file
malwoverview -f /path/to/malware.exe
# Analyze document
malwoverview -f /path/to/document.pdf
# Analyze script
malwoverview -f /path/to/script.js
# Analyze with specific engines
malwoverview -f file.exe --engines virustotal,hybridanalysis
# Force analysis even if cached
malwoverview -f file.exe --force
# Include metadata extraction
malwoverview -f file.exe --metadata
Analyse de fichier par lots
# Analyze multiple files
malwoverview -f file1.exe file2.dll file3.pdf
# Analyze directory
malwoverview -d /path/to/malware_samples/
# Recursive directory analysis
malwoverview -d /path/to/samples/ --recursive
# Filter by file type
malwoverview -d /path/to/samples/ --filter "*.exe,*.dll"
# Exclude certain files
malwoverview -d /path/to/samples/ --exclude "*.txt,*.log"
# Parallel processing
malwoverview -d /path/to/samples/ --threads 5
Analyse basée sur le Hash
# MD5 hash analysis
malwoverview -H 5d41402abc4b2a76b9719d911017c592
# SHA1 hash analysis
malwoverview -H aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
# SHA256 hash analysis
malwoverview -H 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
# Multiple hashes
malwoverview -H hash1,hash2,hash3
# Hash list from file
malwoverview -H @hash_list.txt
# Specific hash type
malwoverview -H hash_value --hash-type sha256
Analyse des réseaux
Analyse des URL
# Single URL analysis
malwoverview -u http://suspicious-site.com
# Multiple URLs
malwoverview -u http://site1.com,http://site2.com
# URL list from file
malwoverview -u @url_list.txt
# Include screenshot
malwoverview -u http://site.com --screenshot
# Check redirects
malwoverview -u http://site.com --follow-redirects
# Custom user agent
malwoverview -u http://site.com --user-agent "Mozilla/5.0..."
Analyse des adresses IP
# Single IP analysis
malwoverview -i 192.168.1.100
# Multiple IPs
malwoverview -i 192.168.1.100,10.0.0.1
# IP range analysis
malwoverview -i 192.168.1.0/24
# Include geolocation
malwoverview -i 192.168.1.100 --geolocation
# Port scanning
malwoverview -i 192.168.1.100 --ports
# Include WHOIS information
malwoverview -i 192.168.1.100 --whois
Analyse de domaine
# Domain reputation check
malwoverview -d suspicious-domain.com
# Include subdomains
malwoverview -d domain.com --subdomains
# DNS analysis
malwoverview -d domain.com --dns
# Certificate analysis
malwoverview -d domain.com --certificate
# Historical data
malwoverview -d domain.com --historical
# Passive DNS
malwoverview -d domain.com --passive-dns
Analyse avancée
Renseignements sur les menaces Intégration
# VirusTotal analysis
malwoverview -f file.exe --vt-only
# Hybrid Analysis
malwoverview -f file.exe --ha-only
# Multiple engines
malwoverview -f file.exe --engines vt,ha,urlvoid
# Custom API keys
malwoverview -f file.exe --vt-api your_api_key
# Rate limiting
malwoverview -f file.exe --rate-limit 4
# Timeout settings
malwoverview -f file.exe --timeout 30
Extraction de métadonnées
# Extract PE metadata
malwoverview -f file.exe --pe-info
# Extract strings
malwoverview -f file.exe --strings
# Extract imports
malwoverview -f file.exe --imports
# Extract exports
malwoverview -f file.exe --exports
# Extract resources
malwoverview -f file.exe --resources
# Extract certificates
malwoverview -f file.exe --certificates
# All metadata
malwoverview -f file.exe --all-metadata
Analyse comportementale
# Dynamic analysis
malwoverview -f file.exe --dynamic
# Sandbox analysis
malwoverview -f file.exe --sandbox cuckoo
# Network behavior
malwoverview -f file.exe --network-behavior
# File system behavior
malwoverview -f file.exe --fs-behavior
# Registry behavior
malwoverview -f file.exe --registry-behavior
# Process behavior
malwoverview -f file.exe --process-behavior
Rapports et produits
Formats de sortie
# JSON output
malwoverview -f file.exe -o json
# CSV output
malwoverview -f file.exe -o csv
# XML output
malwoverview -f file.exe -o xml
# HTML report
malwoverview -f file.exe -o html
# PDF report
malwoverview -f file.exe -o pdf
# Custom template
malwoverview -f file.exe --template custom_template.jinja2
Personnalisation des rapports
# Include specific sections
malwoverview -f file.exe --sections detection,metadata,behavior
# Exclude sections
malwoverview -f file.exe --exclude-sections strings,imports
# Custom report title
malwoverview -f file.exe --title "Malware Analysis Report"
# Add analyst information
malwoverview -f file.exe --analyst "John Doe" --organization "Security Team"
# Include timestamps
malwoverview -f file.exe --timestamps
# Add executive summary
malwoverview -f file.exe --executive-summary
Exportation de données
# Export to database
malwoverview -f file.exe --export-db sqlite:///analysis.db
# Export to SIEM
malwoverview -f file.exe --export-siem splunk
# Export to MISP
malwoverview -f file.exe --export-misp http://misp-server.com
# Export IOCs
malwoverview -f file.exe --export-iocs iocs.txt
# Export YARA rules
malwoverview -f file.exe --export-yara rules.yar
# Export STIX
malwoverview -f file.exe --export-stix report.stix
Automatisation et écriture
Traitement par lots
# Process hash list
cat << 'EOF' > hash_list.txt
5d41402abc4b2a76b9719d911017c592
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
EOF
malwoverview -H @hash_list.txt -o json > batch_results.json
# Process URL list
cat << 'EOF' > url_list.txt
http://suspicious-site1.com
http://malicious-domain.net
http://phishing-site.org
EOF
malwoverview -u @url_list.txt -o csv > url_analysis.csv
Scripts d'automatisation
#!/bin/bash
# Automated malware analysis script
cat << 'EOF' > analyze_samples.sh
#!/bin/bash
SAMPLE_DIR="/path/to/samples"
OUTPUT_DIR="/path/to/reports"
DATE=$(date +%Y%m%d_%H%M%S)
# Create output directory
mkdir -p "$OUTPUT_DIR/$DATE"
# Analyze all samples
for file in "$SAMPLE_DIR"/*; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "Analyzing $filename..."
malwoverview -f "$file" -o json > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.json"
malwoverview -f "$file" -o html > "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}.html"
# Extract IOCs
malwoverview -f "$file" --export-iocs "$OUTPUT_DIR/$DATE/$\\\\{filename\\\\}_iocs.txt"
fi
done
# Generate summary report
python3 generate_summary.py "$OUTPUT_DIR/$DATE" > "$OUTPUT_DIR/$DATE/summary.html"
echo "Analysis complete. Reports saved to $OUTPUT_DIR/$DATE"
EOF
chmod +x analyze_samples.sh
Intégration de Python
#!/usr/bin/env python3
# Python wrapper for Malwoverview
import subprocess
import json
import sys
class MalwoverviewAPI:
def __init__(self, config_file=None):
self.config_file = config_file
self.base_cmd = ['python3', 'malwoverview.py']
if config_file:
self.base_cmd.extend(['-c', config_file])
def analyze_file(self, file_path, output_format='json'):
cmd = self.base_cmd + ['-f', file_path, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
def analyze_hash(self, hash_value, output_format='json'):
cmd = self.base_cmd + ['-H', hash_value, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
def analyze_url(self, url, output_format='json'):
cmd = self.base_cmd + ['-u', url, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
# Usage example
if __name__ == "__main__":
api = MalwoverviewAPI()
# Analyze file
try:
result = api.analyze_file('/path/to/sample.exe')
print(f"Detection ratio: \\\\{result.get('detection_ratio', 'N/A')\\\\}")
print(f"Threat level: \\\\{result.get('threat_level', 'N/A')\\\\}")
except Exception as e:
print(f"Error: \\\\{e\\\\}")
Exemples d'intégration
SIEM Intégration
# Splunk integration
#!/bin/bash
cat << 'EOF' > splunk_integration.sh
#!/bin/bash
# Analyze file and send to Splunk
analyze_and_send() \\\\{
local file="$1"
local splunk_index="malware_analysis"
# Analyze file
result=$(malwoverview -f "$file" -o json)
# Send to Splunk
echo "$result"|curl -k -H "Authorization: Splunk $SPLUNK_TOKEN" \
-X POST "$SPLUNK_HEC_URL/services/collector" \
-d @- \
-H "Content-Type: application/json"
\\\\}
# Monitor directory for new samples
inotifywait -m -e create /path/to/samples --format '%w%f'|while read file; do
analyze_and_send "$file"
done
EOF
chmod +x splunk_integration.sh
Intégration MISP
#!/usr/bin/env python3
# MISP integration script
import requests
import json
import subprocess
from pymisp import PyMISP
class MalwoverviewMISP:
def __init__(self, misp_url, misp_key):
self.misp = PyMISP(misp_url, misp_key, ssl=False)
def analyze_and_create_event(self, file_path, event_info):
# Analyze with Malwoverview
cmd = ['malwoverview', '-f', file_path, '-o', 'json']
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode != 0:
raise Exception(f"Analysis failed: \\\\{result.stderr\\\\}")
analysis_data = json.loads(result.stdout)
# Create MISP event
event = self.misp.new_event(info=event_info)
# Add file hash
if 'md5' in analysis_data:
self.misp.add_hashes(event, md5=analysis_data['md5'])
if 'sha1' in analysis_data:
self.misp.add_hashes(event, sha1=analysis_data['sha1'])
if 'sha256' in analysis_data:
self.misp.add_hashes(event, sha256=analysis_data['sha256'])
# Add detection information
if 'detections' in analysis_data:
for detection in analysis_data['detections']:
self.misp.add_attribute(event, 'text', detection['name'])
# Add network indicators
if 'network_indicators' in analysis_data:
for indicator in analysis_data['network_indicators']:
if indicator['type'] == 'domain':
self.misp.add_attribute(event, 'domain', indicator['value'])
elif indicator['type'] == 'ip':
self.misp.add_attribute(event, 'ip-dst', indicator['value'])
elif indicator['type'] == 'url':
self.misp.add_attribute(event, 'url', indicator['value'])
return event
# Usage
misp_integration = MalwoverviewMISP('https://misp.example.com', 'your_api_key')
event = misp_integration.analyze_and_create_event('/path/to/malware.exe', 'Malware Analysis')
Chasse à la menace Flux de travail
#!/bin/bash
# Automated threat hunting workflow
cat << 'EOF' > threat_hunting.sh
#!/bin/bash
HUNT_DIR="/tmp/threat_hunt_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$HUNT_DIR"
# Function to analyze suspicious files
hunt_files() \\\\{
echo "Hunting for suspicious files..."
# Find recently modified executables
find /tmp /var/tmp -name "*.exe" -mtime -1 2>/dev/null|while read file; do
echo "Analyzing: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/$(basename $file).json"
done
# Find files with suspicious names
find / -name "*crypt*" -o -name "*hack*" -o -name "*payload*" 2>/dev/null|while read file; do
if [ -f "$file" ]; then
echo "Analyzing suspicious file: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/suspicious_$(basename $file).json"
fi
done
\\\\}
# Function to analyze network connections
hunt_network() \\\\{
echo "Hunting for suspicious network activity..."
# Get active connections
netstat -an|grep ESTABLISHED|awk '\\\\{print $5\\\\}'|cut -d: -f1|sort -u|while read ip; do
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Analyzing IP: $ip"
malwoverview -i "$ip" -o json > "$HUNT_DIR/ip_$ip.json"
fi
done
\\\\}
# Function to analyze suspicious domains
hunt_domains() \\\\{
echo "Hunting for suspicious domains..."
# Extract domains from browser history, logs, etc.
grep -h "http" /var/log/*.log 2>/dev/null|grep -oE 'https?://[^/]+'|cut -d/ -f3|sort -u|while read domain; do
echo "Analyzing domain: $domain"
malwoverview -d "$domain" -o json > "$HUNT_DIR/domain_$domain.json"
done
\\\\}
# Execute hunting functions
hunt_files
hunt_network
hunt_domains
# Generate summary report
echo "Generating threat hunting report..."
python3 << 'PYTHON'
import json
import glob
import os
hunt_dir = os.environ.get('HUNT_DIR', '/tmp/threat_hunt_latest')
results = []
for json_file in glob.glob(f"\\\\{hunt_dir\\\\}/*.json"):
try:
with open(json_file, 'r') as f:
data = json.load(f)
if data.get('threat_level', 0) > 5:
results.append(\\\\{
'file': json_file,
'threat_level': data.get('threat_level'),
'detections': data.get('detections', [])
\\\\})
except:
continue
print(f"Threat Hunting Summary - \\\\{len(results)\\\\} high-risk items found:")
for result in sorted(results, key=lambda x: x['threat_level'], reverse=True):
print(f"- \\\\{result['file']\\\\}: Threat Level \\\\{result['threat_level']\\\\}")
PYTHON
echo "Threat hunting complete. Results saved to $HUNT_DIR"
EOF
chmod +x threat_hunting.sh
Dépannage
Questions communes
# API key configuration issues
malwoverview --test-apis
# Network connectivity issues
malwoverview --test-connectivity
# Permission issues
sudo chown -R $USER:$USER ~/.malwoverview
chmod 600 ~/.malwoverview/malwoverview.conf
# Python dependency issues
pip3 install --upgrade requests colorama configparser pefile python-magic
# File magic issues
sudo apt install libmagic1 libmagic-dev
pip3 install --upgrade python-magic
Mode de débogage
# Enable debug logging
malwoverview -f file.exe --debug
# Verbose output
malwoverview -f file.exe -v
# Log to file
malwoverview -f file.exe --log-file analysis.log
# Test specific API
malwoverview --test-api virustotal
# Check configuration
malwoverview --show-config
Optimisation des performances
# Increase timeout for slow APIs
malwoverview -f file.exe --timeout 60
# Reduce rate limiting
malwoverview -f file.exe --rate-limit 1
# Use caching
malwoverview -f file.exe --cache-results
# Parallel processing
malwoverview -d /samples/ --threads 3
# Memory optimization
export PYTHONOPTIMIZE=1
ulimit -v 1048576 # Limit virtual memory
*** Avis de sécurité** : Malwoverview est un outil d'analyse des menaces et des logiciels malveillants qui devrait être utilisé de façon responsable et conformément aux lois et règlements applicables. Lors de l'analyse des fichiers suspects ou des URL, assurez-vous d'avoir une autorisation appropriée et de fonctionner dans un environnement sécurisé et isolé. L'outil s'intègre à divers services tiers, donc soyez attentif à la confidentialité des données et aux politiques de partage. Vérifiez toujours la légitimité des échantillons avant l'analyse et suivez les procédures d'intervention en cas d'incident de votre organisation pour gérer les menaces potentielles.
** Ressources supplémentaires** : - [Répertoire GitHub de Malwoverview] (LINK_4) - [Documentation de l'API VirusTotal] (LINK_4) - Documentation de l'API d'analyse hybride - [Comparaison des plates-formes de renseignement de menace] (LINK_4)